
My Drupal 7.28 site has been hacked through the tmp dir, which was not protected by an .htaccess file. The hacker managed to delete the main .htaccess file and upload some bogus google docs 2014 directory with php files to the site. After some work I managed to fix the site by getting rid of the offending php files and replacing the .htaccess files. Everything is fine now, except that he/she managed to create a phishing form called gmail_webmail.html, which originally comes with Google docs. This form, which was originally a file he uploaded and I deleted, is still viewable on my site. I don't know how he did it. There is no html file called gmail_webmail.html in the root Drupal directory, yet when I go to www.mysite/gmail_webmail.html I get this form, which Norton blocks right away. Google also warned me of the existence of this form. It is not a module as far as I can tell. Can anyone help? Thank you in advance.

2 Answers


Everything is fine now

No. Some 3rd party had write access to your server and you don't know what malicious stuff is left behind.

Can anyone help?

Yes, get a professional to help you; this is serious, since you are putting your users at risk.


If you have backups of your site, I would remove all of your files and start again from a known good backup. I would imagine there is a tiny bit of code somewhere redirecting to this bad page, probably buried in a comment or obfuscated to look harmless.

Change the passwords to all of your admin areas, webmail consoles, SSH, ftp access etc.

It might also help to Google the first line of whatever file is being displayed, as this may show you similar sites which have been hacked or blogs which give you a bit more info on how it maintains persistence.

TimC
  • +1 - nuke from orbit is always the most reliable method to clean up a compromised system. – Philipp Jul 03 '14 at 14:09
  • Thanks. I have no good backup. I just started out. I went ahead and rebuilt the site from scratch. – mark.sasson7 Jul 03 '14 at 20:39
  • Great, well next time make sure you take backups of your site files, database content, and also only add extensions you know about and make sure they are updated in line with security advisories. Not sure if it's the same for Drupal, but Joomla maintains a vulnerable extensions directory; you might like to look for something similar in Drupal. – TimC Jul 03 '14 at 21:18
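TimC's answer suggests the phishing page is served by a small piece of code hidden somewhere in the site, and the question mentions the two classic footholds (PHP dropped into an unprotected upload directory, and a tampered or deleted .htaccess). The script below is an added example for this thread, not code from the question or either answer: it walks a Drupal 7 web root and reports the leftovers a responder would check first. The directory names, the obfuscation and .htaccess heuristics, and the sample tree it builds are assumptions modelled on a stock Drupal 7 layout; every hit is a lead for manual review, not proof of compromise.

```python
"""Scan a Drupal 7 web root for leftover droppers and .htaccess tampering.

Added example for this thread, not code from the question or either answer.
Directory names, patterns and the sample tree are assumptions modelled on a
stock Drupal 7 layout; every finding is a lead for manual review, not proof.
"""
import os
import re
import shutil
import tempfile

# Assumption: these directories hold uploads only and should never contain PHP.
UPLOAD_ONLY_DIRS = ("sites/default/files", "tmp")

# Source extensions Apache may execute as PHP in a Drupal 7 install.
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".inc", ".module", ".install")

# Obfuscation markers common in web shells and droppers (heuristic, constructed).
OBFUSCATION_PATTERNS = [
    (re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "eval of decoded payload"),
    (re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"), "preg_replace with /e modifier"),
    (re.compile(rb"(base64_decode|gzinflate)\s*\(\s*['\"][A-Za-z0-9+/=]{200,}"), "long encoded literal"),
]

# .htaccess directives that can serve a page from an unexpected file or make
# Apache execute something it should not. Drupal's own "RewriteRule ^ index.php"
# is excluded by the negative lookahead so a stock file stays quiet.
HTACCESS_PATTERNS = [
    (re.compile(r"^\s*php_(value|flag)\s+auto_(prepend|append)_file", re.I), "auto_prepend/append_file"),
    (re.compile(r"^\s*(AddHandler|AddType)\b", re.I), "handler/type override"),
    (re.compile(r"^\s*RewriteRule\s+\S+\s+(?!index\.php\b)\S*\.(php|html?)\b", re.I),
     "rewrite to a non-index script or page"),
]


def _in_upload_dir(rel):
    return any(rel == d or rel.startswith(d + "/") for d in UPLOAD_ONLY_DIRS)


def scan_site(root):
    """Return a list of (category, relative_path, detail) findings for the tree under root."""
    findings = []
    # Drupal ships a root .htaccess and writes one into the public files directory;
    # the question's site lost the former and the tmp directory never had one.
    for d in ("",) + UPLOAD_ONLY_DIRS:
        if os.path.isdir(os.path.join(root, d)) and not os.path.isfile(os.path.join(root, d, ".htaccess")):
            findings.append(("missing-htaccess", (d + "/" if d else "") + ".htaccess",
                             "expected protection file absent"))
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == ".htaccess":
                with open(path, "r", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        for pattern, label in HTACCESS_PATTERNS:
                            if pattern.search(line):
                                findings.append(("htaccess", rel, f"line {lineno}: {label}: {line.strip()}"))
                continue
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            if _in_upload_dir(rel):
                findings.append(("php-in-upload-dir", rel, "executable source under an upload-only directory"))
            with open(path, "rb") as fh:
                data = fh.read()
            for pattern, label in OBFUSCATION_PATTERNS:
                if pattern.search(data):
                    findings.append(("obfuscation", rel, label))
    return findings


def build_sample_site():
    """Create a constructed Drupal-like tree: clean files plus planted leftovers (hypothetical)."""
    root = tempfile.mkdtemp(prefix="drupal-scan-")
    files = {
        ".htaccess": ("RewriteEngine on\n"
                      "RewriteRule ^ index.php [L]\n"  # stock Drupal rule, must not be flagged
                      "RewriteRule ^gmail_webmail\\.html$ sites/default/files/tmp/google_docs_2014/form.php [L]\n"),
        "index.php": "<?php\nrequire_once DRUPAL_ROOT . '/includes/bootstrap.inc';\n",
        "modules/node/node.module": "<?php\n/* harmless comment */\nfunction node_help() {}\n",
        "sites/default/files/photo.jpg": "not a real jpeg, constructed\n",
        "sites/default/files/tmp/google_docs_2014/form.php": "<?php eval(base64_decode('aGVsbG8='));\n",
        "sites/default/settings.php": "<?php\n$databases = array();\n// looks routine, is not\npreg_replace('/.*/e', $x, '');\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample = build_sample_site()
    try:
        for category, rel, detail in scan_site(sample):
            print(f"{category:20} {rel:55} {detail}")
    finally:
        shutil.rmtree(sample)
```

Run it against a real web root with `scan_site("/var/www/drupal")` (path assumed). Against the constructed sample it reports the missing `sites/default/files/.htaccess`, the rewrite that maps `gmail_webmail.html` onto a PHP file, the PHP file sitting under the upload directory, and two obfuscation hits, while the stock `index.php`, the module file and the standard `RewriteRule ^ index.php` line stay quiet. As TimC says, the reliable fix is still a rebuild from a known good backup; a scan like this only tells you where to look and which credentials and paths to prioritise.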